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August 4, 2006 

The Honorable Rob Simmons 
Chairman 

Subcommittee on Intelligence, Information 
Sharing and Terrorism Risk Assessment 
Committee on Homeland Security 
House of Representatives 

Subject: Transportation Security Administration's Office of Intelligence: Responses 
to Posthearing Questions Regarding Secure Flight 

Dear Mr. Chairman: 

This letter responds to your request for additional information related to the 
subcommittee's June 14, 2006, hearing on the progress and challenges of the 
Transportation Security Administration's (TSA) Office of Intelligence. Enclosed are 
our responses to the supplemental questions you submitted for the record. Our 
responses are based largely on information contained in our report entitled Aviation 
Security: Secure Flight Development and Testing Under Way, but Risks Should Be 
Managed as System Is Further Developed (GAO-05-356, March 28, 2005), and our 
testimonies entitled Aviation Security: Significant Management Challenges May 
Adversely Affect Implementation of the Transportation Security Administration's 
Secure Flight Program (GAO-06-374T, February 9, 2006), and Aviation Security: 
Management Challenges Remain for the Transportation Security Administration's 
Secure Flight Program (GAO-06-864T, June 14, 2006). 

As discussed in my statement at the hearing, for over 3 years, TSA has faced 
numerous challenges in developing a federal passenger precreeening program, 
known currently as Secure Flight, because TSA did not follow a disciplined life cycle 
development approach. Although TSA made some progress, it suspended the 
program's development earlier this year to reassess program direction, and it 
anticipates completing the reassessment by the end of September 2006. Whatever 
direction Secure Flight takes, TSA needs to follow a disciplined system development 
approach that fully defines system requirements, schedule, and costs; coordinate with 
critical stakeholders; ensure system effectiveness through assessing name-matching 
technologies and policies to match passenger and terrorist watch list data; conduct 
stress and end-to-end testing that verifies that the entire system functions as 
intended; and establish privacy protocols and access to a redress process. 
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If you have any further questions or would like to discuss any of the issues in more 
detail, I can be reached at (202) 512-3404 or berrickc@gao.gov. 



Sincerely yours, 




Cathleen A. Berrick 
Director 

Homeland Security and Justice Issues 
Enclosure — 1 
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Response to Supplemental Questions 
for the 

Subcommittee on Intelligence, Information Sharing, 
and Terrorism Risk Assessment, 
Committee on Homeland Security, 
House of Representatives 
Hearing on 
The Transportation Security Administration 's 
Office of Intelligence: Progress and Challenges 
June 14, 2006 



1. Ms. Berrick, what benefits will Secure Flight provide, once developed, over the 
current passenger prescreening process managed by air carriers? 

Answer: 

Until the Transportation Security Administration (TSA) completes its Secure Flight 
rebaselining efforts 1 and decisions are made regarding the future direction of the 
program, the specific goals or benefits expected from Secure Flight over the current 
air carrier prescreening are uncertain. However, TSA officials have stated in the past 
that Secure Flight would 

• transfer the passenger name-matching process from the air carriers to the 
federal government, 

• provide a uniform and consistent prescreening name-matching process by 
using the same name-matching technology, 

• utilize more exhaustive watch list information than is currently provided to the 
air carriers, and 

• maintain a tighter control over sensitive security terrorist watch list 
information by eliminating the need to distribute it outside of the federal 
government. 

As we stated in our February 2006 testimony, over the last 3 years TSA has faced a 
number of challenges in developing and implementing Secure Flight to ensure the 
program operates effectively. Key factors that could influence the effectiveness of 
Secure Flight remain to be finalized or resolved. More specifically, we stated that the 
program's effectiveness would be dependent on TSA: 

• assessing name-matching technologies that would be used to vet passenger 
names against names in the Terrorist Screening Database (TSDB) to learn 



1 In early 2006, TSA suspended development of Secure Flight and initiated a reassessment, or rebaselining, of the 
program. As of July 2006, TSA was continuing with its rebaselining efforts, which it expects to complete before the 
end of September 2006. 



Page 3 



GAO-06-1051R Response to Posthearing Questions 



Enclosure 1 



more about how these technologies would perform in an operational 
environment, 

• performing stress testing to determine the system's capabilities to handle 
peak data loads to identify the relative volume of passengers who can be 
identified as potential matches against the database, and 

• undertaking a comprehensive end-to-end testing to verify that the entire 
system would function as intended. 

2. Ms. Berrick, your February 2006 Senate testimony made clear that the success 
of Secure Flight depends a great deal on the accuracy and completeness of 
records contained within the Terrorist Screening Center's "master" terrorist 
watch list — the Terrorist Screening Database (TSDB). As you know, the 
Department of Justice Inspector General found significant problems with the 
accuracy and completeness of the TSDB last June. To your knowledge, what 
progress has the Terrorist Screening Center (TSC) made in this area, and what 
is TSA doing to help ensure the accuracy of name matches against the TSDB? 

Answer: 

In June 2005, the Department of Justice's Office of the Inspector General reported 
that TSC could not ensure the completeness and accuracy of the data in the TSDB. 
Since that time, TSC officials stated that they have established processes to help 
ensure that the records within the TSDB, which may be required for Secure Flight, 
are as accurate and complete as possible. These processes include 

• conducting a record-by-record review that should improve the quality of 
the TSDB records, 

• updating procedures for daily review of each new or modified record, and 

• using automated rules to check the completeness of records received from 
other agencies. 

As of June 2006, this record-by-record review was still ongoing. 

In addition, GAO currently has ongoing reviews of screening agencies' use of TSDB 
data that will provide additional information on TSC efforts to improve the quality of 
its records and how these efforts could possibly affect the end users of these data. 
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3. In your view, Ms Berrick, how central is TSA's Office of Intelligence to the 
success of the Secure Flight program, and why? 

Answer: 

Currently, TSA's Office of Intelligence serves as a liaison between the intelligence 
community and the air carriers who use the terrorist watch list information in their 
prescreening of passengers. Specifically, the Office of Intelligence receives watch 
list data from the Terrorist Screening Center, prepares it for distribution to the air 
carriers, and sends it to the Transportation Security Operations Center, which in turn 
posts it to a secure Web site that is accessed by the air carriers for use in their name- 
matching processes. When an air carrier cannot resolve a potential match during its 
prescreening process, the air carrier contacts an Office of Intelligence analyst for 
assistance in resolving the potential match. If needed, the Office of Intelligence also 
contacts Terrorist Screening Center analysts who can access additional information to 
try to resolve the potential match. As a result, the Office of Intelligence plays a key 
role in current program operations. 

Until TSA completes its Secure Flight rebaselining efforts and decisions are made 
regarding the future direction of the program, the role of the Office of Intelligence 
and its relationship with Secure Flight is uncertain. However, Secure Flight's draft 
June 2005 concept of operations stated that the program would employ its own 
analysts to conduct the manual reviews of passenger names that were potential 
matches against the watch lists as a result of the Secure Flight automated matching 
process. If assistance was needed in adjudicating a match, these analysts would notify 
the Terrorist Screening Center. These analysts would also notify the Office of 
Intelligence of potential passenger matches so it could conduct situational awareness 
with the air carrier, and when any inhibited boarding pass was released to a no-fly 
passenger who had been cleared through the process. 

4. Ms. Berrick, you testified in February that in addition to TSA's Secure Flight 
program, Customs and Border Protection (CBP) was developing a passenger 
prescreening program to match the names of international travelers bound for 
the U.S. against terrorist watch lists before their flight departs for the U.S. How 
are TSA and CBP working together, if at all, to coordinate these programs? 

Answer: 

As part of its ongoing rebaselining of the Secure Flight program, TSA has stated that 
it is collaborating with CBP to provide "one face" to air carriers for domestic and 
international passenger prescreening, that is, a strategic alignment that will allow for 
the collection and transmission of passenger data in a unified manner and at a uniform 
contact point to address issues that arise during either domestic or international 
prescreening processes. In July 2006, TSA officials stated that they had been meeting 
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weekly with CBP to discuss their coordination efforts, but did not provide 
information on the actions being discussed. 

Further, in announcing CBP's Notice of Proposed Rulemaking for its Advance 
Passenger Information System (APIS), CBP reaffirmed the Department of Homeland 
Security's commitment to a common reporting process for the airline industry 
through APIS and TSA's Secure Flight program. CBP and TSA plan to continue 
their coordination of Pre-Departure APIS for international flights and Secure Flight 
for domestic flights by leveraging information gained during the Pre-Departure APIS 
Notice of Proposed Rulemaking. It is anticipated that TSA and CBP's joint efforts 
will allow for the prescreening function to occur through coordinated information 
connections and avoid duplication of communications, programming, and information 
requirements. Nevertheless, until TSA completes its rebaselining, how and when 
TSA and CBP's passenger prescreening programs will be coordinated remains 
uncertain. 



5. Ms. Berrick, your February testimony before the Senate mentions that TSA and 
TSC should conduct joint exercises to further understand "the effectiveness of 
using intelligence analysts to clear misidentified passengers during Secure Flight 
operations." What additional joint exercises are you aware of since this past 
February, and what kinds of exercises — in your view — would assist TSA's Office 
of Intelligence as it gears up to support Secure Flight? What basic questions 
should TSA and the TSC be striving to answer at this point? 

Answer: 

When TSA began rebaselining Secure Flight in February 2006, it suspended 
development and testing of the program. However, prior to rebaselining, TSA had 
conducted development and testing activities with key stakeholders, including the 
joint exercises with TSC analysts. Although we encourage TSA to continue its 
coordination with major stakeholders — including TSC — in order to develop an 
effective and efficient passenger prescreening program, it would be premature to 
speculate about the nature of testing needed until TSA announces its rebaselined 
program. As TSA continues its rebaselining and before it resumes development and 
testing, TSA, in collaboration with stakeholders including TSC, should address 
several questions that are fundamental to Secure Flight's effectiveness, including: 

• What passenger data should Secure Flight collect to provide the best possible 
results when matched against data contained in the no-fly and selectee lists, 
which are derived from the TSDB? 

• What TSDB data attributes will be provided by the TSC and what name 
matching technologies will Secure Flight use to compare the passenger data 
with the TSDB no-fly and selectee watch lists? 
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• What manual review policies and procedures will be established by TSA and 
TSC to determine whether a potential match returned from Secure Flight's 
automated matching process is a false positive or an actual match against the 
watch list? 



6. Ms. Berrick, to your knowledge, is TSA's Secure Flight development team 

planning to increase the number of TSA analysts on staff to help administer the 
Secure Flight program? What sense do you have about TSA's capacity to 
handle the name matching process that will be required under Secure Flight if a 
passenger name cannot be differentiated from a terrorist included on the watch 
list? 



Answer: 

TSA's Secure Flight draft June 2005 concept of operations describes TSA's plans at 
that time for resolving potential passenger name matches to the terrorist watch list. 
While the concept of operations did not identify the number of analysts required, TSA 
officials had stated that they planned to use their own intelligence analysts who were 
currently involved in other people screening programs, such as the crew vetting 
program. As envisioned in 2005, Secure Flight operational testing was to begin with 
two air carriers, which TSA thought they could service with their current analyst staff 
or contractors and also provide the experience needed to more accurately determine 
the number of analysts needed for full operations. Until TSA completes its 
rebaselining of Secure Flight and establishes specific system requirements, TSA 
cannot determine the workload and number of analysts that will be required for the 
program. Further, without established system requirements and more concrete results 
from TSA's testing of the automated matching system, we can not assess TSA's 
capacity to manually review the potential passenger name matches for air carrier 
operations in a timely manner. 

7. Ms. Berrick, you reported to the Senate Commerce Committee in February that 
TSA had not yet clearly identified the privacy impacts of Secure Flight "or the 
full actions it plans to take to mitigate them." What should this Committee be 
looking at to ensure that if Secure Flight moves forward, that privacy is properly 
taken into account? 



Answer: 

In our previous reports and testimonies on Secure Flight, we recommended that TSA 
integrate privacy and other passenger rights protections into all aspects of Secure 
Flight operations. Such protections include statutory requirements, such as the 
Privacy Act, and the Fair Information Practices, a set of internationally recognized 
privacy principles that limit the collection, use, and disclosure of personal 
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information by federal agencies. In monitoring this aspect of Secure Flight's 
development, the committee could review TSA's system of records notice and the 
privacy impact assessment that TSA plans to complete as part of Secure Flight's 
rebaselining and continued system development. These documents will describe how 
TSA considered privacy in the development of the system, and how it will protect 
passenger data once the system becomes operational. 

In addition, the committee could review TSA's plans for redress for passengers 
affected by Secure Flight. As we stated in our February and June 2006 testimonies, 
TSA currently provides individuals with an opportunity to seek redress, including a 
process for passengers who experience delays under the current name matching 
conducted by the air carriers. However, it is not clear if this current system will be 
used for Secure Flight or be able to accommodate redress related specifically to the 
operation of Secure Flight. 

In July 2006, TSA officials reiterated that they plan to address privacy and redress 
concerns as they rebaseline and further develop Secure Flight. Their system of 
records notice, privacy impact assessment, and plans for redress will be put forth 
along with their announcement of the rebaselined program or a rulemaking that is 
supposed to, among other things, describe the passenger data to be provided by air 
carriers. 

8. Ms. Berrick, you note in your prepared statement today that Secure Flight "was 
neither intended nor designed to address" the situation where a person has 
assumed another person's identity through identity theft. In recent weeks, we 
have learned that millions of veterans may have had their names and Social 
Security numbers stolen from the home of a Department of Veterans Affairs' 
contractor. Given this development, should TSA be exploring some sort of 
identity theft safeguards as part of the Secure Flight rebaselining effort? What 
recommendations, if any, do you have in this regard? 

Answer: 

Secure Flight was designed to take over the passenger prescreening responsibility, or 
the matching of passenger data against terrorist watch lists prior to a passenger 
receiving a boarding pass from the air carriers. TSA officials have stated that Secure 
Flight represents only one layer of security within the aviation infrastructure and is 
not designed or intended to protect against all vulnerabilities, such as identity theft. 
While TSA has recognized that identity theft is a vulnerability for Secure Flight, the 
extent to which it will be addressed under the rebaselined program remains unknown. 
However, we believe that this important issue, which will affect Secure Flight's 
effectiveness, will also affect other Department of Homeland Security programs and, 
therefore, should be addressed by TSA. We do not have any specific 
recommendations on how TSA should address this vulnerability at this time. 
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9. Ms. Berrick, you state in your prepared remarks that GAO is supportive of the 
rebaselining of the Secure Flight program. In your view, what principles should 
guide TSA's efforts to get the program right, and what role does TSA's Office of 
Intelligence have in this regard? 

Answer: 

There are several interrelated principles that should guide TSA in its development and 
implementation of the passenger prescreening program. These principles are 

1 . development of a program using the sound management principles in 
TSA's System Development Life Cycle, including development of 
program goals and requirements, a schedule and the associated costs for 
attaining those goals, and an effective program for securing the system 
and its data; 

2. development of a system that maximizes the accuracy and completeness 
of the data used and the effectiveness of the automated tools and manual 
processes used for name matching; 

3. coordination with stakeholders, including CBP, TSC, and air carriers; and 

4. establishment of privacy protocols, protection of passenger rights, and 
access to redress for passengers impacted by Secure Flight. 

TSA has not made clear the role and relationship of the Office of Intelligence in its 
efforts to rebaseline the Secure Flight program. 

10. Ms. Berrick, over the last three years, GAO's numerous reports and testimonies 
on Secure Flight have highlighted significant challenges. What do you believe 
are the most formidable challenges facing TSA's efforts with Secure Flight, and 
what do you believe TSA must do to overcome these challenges? How central is 
the role for TSA's Office of Intelligence in getting Secure Flight "right" and how 
should it be coordinating its efforts with the Terrorist Screening Center and 
other entities in this regard? 

Answer: 

Based on our Secure Flight work over the last three years, four key challenges have 
been identified that are directly related to principles discussed in our response to the 
previous question. These challenges are 

1 . developing, managing, and overseeing the program through a 

comprehensive System Development Life Cycle plan that would include 
establishing program goals and systems requirements, developing cost and 
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schedule estimates that reflect all aspects of the program, and designing a 
security program that protects the system and the data it uses; 

2. addressing key factors that will affect the effectiveness of Secure Flight in 
identifying individuals on the no-fly and selectee lists that include 

(1) assessing passenger name-matching technologies and policies that will 
be used to match passenger names against terrorist watch list data, (2) 
conducting stress testing to determine how Secure Flight would handle 
peak data volumes, and (3) performing comprehensive end-to-end 
operational testing to determine that the system performs as intended; 

3. coordinating with federal and private sector stakeholders, such as CBP, 
TSC, and air carriers, that play a critical role in collecting, transmitting, 
and analyzing the data needed for Secure Flight operations; and 

4. minimizing program impacts on passenger privacy, protecting passenger 
rights, and providing access to redress for passengers affected by Secure 
Flight. 



Until TSA completes rebaselining Secure Flight and establishes specific system 
requirements, it is difficult to determine the exact roles that TSA's Office of 
Intelligence, TSC, and other stakeholders will fulfill. However, no matter what 
the outcome of TSA's rebaselining is, the Office of Intelligence and TSC will 
likely play an important role in determining whether passengers' names that have 
been matched to a name contained in the TSDB are actual matches. For the 
Office of Intelligence and TSC to function as part of Secure Flight, TSA will need 
to determine the level of staff support that it will require for each entity so that 
vetting outcomes can be handled in a timely manner. 
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